Arreva Blog

Password Security: 5 Ways to Keep Your Donors’ Data Safe

Cybersecurity should be a major priority for all kinds of businesses and groups, but especially nonprofit organizations!

By accepting donations of any kind, it’s your responsibility to properly steward those funds. As we’ve learned over the past couple years, the pace of data breaches and major cybersecurity threats only accelerates. This means that responsible stewardship must encompass your donors’ data as well as their gifts!

Boosting your nonprofit’s online visibility is of course essential for reaching more donors, growing your base of support, and pursuing your mission, but it can also make your organization a bigger target! More online interactions with your donors create more vulnerable entry points for data thieves and hackers.

Securing your login systems is the first step to bolstering your organization’s data defenses more generally. This means your internal management and data platforms, your online fundraising tools that process donations, and your outward-facing login system for members and donors. A few best practices to adopt today include:

Eliminate vulnerable password systems.

Create stronger login protocols.

Train your staff on email security.

Keep all your tools fully updated.

Implement lean data practices.

Before we run through these core points, consider reading through our more comprehensive Swoop password security guide. A solid understanding of basic internet security practices goes a long way to help identify the tools and techniques that could be most effective for your nonprofit.

Ready to dive in? Let’s get started.

1. Eliminate vulnerable password systems.

The easiest way to remove the risk of data breaches through vulnerabilities in your login systems? Eliminate passwords altogether.

It may be surprising for some to learn that the traditional username and password login is far from the most secure (or even efficient) method out there for granting digital access. It’s simply the one that caught on the fastest.

Passwordless login systems build on a classic digital technique, the mailto link, and combine it with innovative security protocols to deliver a unique and much more secure experience for users and online donors.

Here’s how it works: Your user enters their email address to begin logging in, and a new email message is generated. It contains a randomly generated and encrypted key code which, when the user sends it back, is run through multiple layers of security and decryption algorithms.

The secure server validates the email address, key code, and IP address to grant access in just 2 clicks, all without the need to remember yet another password. There are a few major benefits to passwordless login systems:

More secure. Email is already one of the most secure tools we use for authenticating users, so processing advanced encrypted keys through email is the logical next step.

Universal solution. Everyone has an email address and remembers it because we use our email to log in to all kinds of online accounts.

Huge boost to user experience. Forcing users to create new accounts, input tons of information, and create a password (then remember it!) is a waste of everyone’s time.

Reduced donor abandonment. 2-click passwordless login actively encourages new donors to make a gift by keeping the process incredibly fast and easy.

As simple passwords become more easily hackable, they become obsolete. With the added benefits of passwordless login systems, adopting one for your nonprofit’s online platforms makes more sense for everyone involved.
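To make the flow above concrete, here is an added example (not Swoop's or Arreva's code) of the server side of such a login link: a random key code is issued for each login attempt, stored only as a hash, and accepted exactly once, within an assumed ten-minute window, and only for the email address and IP address it was issued to.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 600  # assumed policy: a link is valid for ten minutes


class MagicLinkStore:
    """Pending login links, keyed by the SHA-256 hash of the key code so that a
    copy of this store alone cannot be replayed as a valid link."""

    def __init__(self):
        self._pending = {}

    @staticmethod
    def _normalize(email):
        return email.strip().lower()

    def issue(self, email, request_ip, now):
        """Create a key code for this email/IP; only the raw code goes into the email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = {
            "email": self._normalize(email),
            "ip": request_ip,
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, email, token, request_ip, now):
        """Validate email, key code and IP as the flow above describes. Returns (ok, reason)."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Single use: the record is removed on the first attempt, success or not,
        # so a link that leaks after use (mail forwarding, logs) is already dead.
        record = self._pending.pop(digest, None)
        if record is None:
            return False, "unknown or already used link"
        if now > record["expires"]:
            return False, "link expired"
        claimed = self._normalize(email).encode()
        if not hmac.compare_digest(record["email"].encode(), claimed):
            return False, "email mismatch"
        # Strict IP pinning as the post describes; note that users on mobile
        # networks may change address between request and click.
        if record["ip"] != request_ip:
            return False, "request came from a different address"
        return True, "login granted"
```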

2. Create stronger login protocols.

If you choose to retain the traditional username and password login system, there are still a few best practices you should follow to bolster its security as much as possible. This is particularly true as more and more nonprofits move towards conducting a bulk of their major fundraising online.

These best practices apply equally to your internal processes and donor-facing online activities:

Urge or require staff, volunteers, and donors to create unique (or even randomized) passwords using numbers and special characters.

Install a password manager tool on your computers to reduce the logistical confusion that can result from creating new layers of internal security.

Institute 2-factor authentication protocols. This means using an additional method to validate the user’s identity, the most common being a key code texted to their phone.

Exploring and researching more tips like these is essential if your nonprofit’s membership program makes use of management tools and platforms. Membership software helps with all kinds of digital tasks, from engaging members and collecting data to accepting donations and payments and sending messages to users.

That’s a lot of interaction, some of it involving highly sensitive information! Take the time to ensure that all your digital tools make use of responsible and advanced login security protocols.

3. Train your staff on email security.

Internal mail security is surprisingly still a major vulnerability for tons of businesses and organizations!

Make sure your staff is aware of all the risks that poor security practices can pose to not only your own operations but also to the sensitive data that your donors have entrusted to you. A single data breach is all it takes to destroy a reputation.

Plus, even though most businesses train their new hires on internal security policies, many nonprofits rely on a more ad hoc set of security practices that have been patched together by individual forward-thinking staff members or volunteers over the years. If this sounds like your organization, it’s time for an immediate update.

This is especially important if you regularly conduct major email marketing campaigns, since they represent a large and vulnerable point of contact between broad swathes of your own database and the donors themselves.

Some important practices you and your staff or volunteers should implement include:

4. Keep all your tools fully updated.

Keeping all your digital tools fully updated at all times is the easiest and perhaps single most important step you can take to boost your nonprofit’s digital security.

This includes any software that requires a password, accepts online donations, processes payment information, or is directly used by donors. For your nonprofit these likely include:

Your internal management system

Your internal messaging or email tools

Fundraising software and third-party donation platforms

Your membership management software

Your website, including all inward and outward-facing elements

There are a few quick fixes you can implement in your nonprofit’s website if you use a leading site building platform like WordPress. Many top security plugins for WordPress sites are even free! Add them to your online security toolkit to bolster your defenses all-around.

However, we all know that it can be too easy to ignore repeated software update requests. Just look at your smartphone or personal laptop. Neglecting updates can needlessly pose a huge risk to your donors’ data!

Software updates typically include security improvements, and they’re oftentimes developed directly in response to a major new threat that has only recently emerged.

Take ransomware, for instance. This new type of cybersecurity attack was able to very effectively target huge digital networks in a burst of activity because 1) awareness of its threat was still low and 2) large-scale defenses hadn’t yet been developed.

That narrow window of opportunity is why the first major ransomware attacks were so successful, but software that hasn’t been updated is still vulnerable today!

5. Implement lean data practices.

Whether it’s via email, donation processing tools, or membership platforms, you have to collect and manage your donors’ data responsibly. This is particularly crucial when your donors or members must create password-protected accounts to access their profiles, look up information, or make payments.

Following some lean data practices is an important part of modern digital stewardship for nonprofit organizations. They include:

If you don’t need a piece of data, don’t collect it. This is a best practice for boosting your online user experience, too. When using online fundraising tools, don’t irritate or slow down your donors by soliciting too much information. While data on your supporters is useful for marketing campaigns, during a donation is not the time to ask for it.

Organize and protect data that you do collect. Choose a top CRM platform, preferably one that’s specifically designed for nonprofits, to house and manage your donor data. Their security features plus an established or automated data reporting system will ensure that no sensitive material is allowed to fall through the cracks.

Encrypt it while you move it. When transferring data, for instance when migrating your member database or email archive, always encrypt it. Copying and transferring your data opens up a window of vulnerability. Thankfully, it’s easy to find encryption tools to scramble your sensitive data, migrate it, then unscramble it again in a safe new location.

Most importantly, be transparent. In any digital space that can accept payment or personal information from donors, take the time to explain your organization’s data practices.

After all, the nonprofit/donor relationship is characterized by gratitude, respect, and honesty.

If you still require your online users, donors, staff members, and volunteers to use passwords to access and provide sensitive digital materials, it’s crucial that your nonprofit institutes some cybersecurity best practices.

Login systems are the perfect place to start! Carefully think about any vulnerabilities that might exist in yours, then get to work finding the right solution. Your donors will thank you.

John Killoran founded Swoop in May 2011. Swoop is an authentication technology designed to eliminate passwords on the internet. Our technology is used for donations, signing into websites and bill payment. Swoop is a technology that was developed by John's other company, Clover Leaf.